Pre-authenticated calling for voice applications

ABSTRACT

Architecture for providing pre-authenticated information from an endpoint for subsequently authenticating a device and/or user associated with the previously-authenticated information. A pre-authentication module of the architecture can be a trust component as part of an application that facilitates the utilization of user information and/or endpoint information in a media session protocol message to replace information that would otherwise be gathered via a dialog. In the context of IP-based voice communications, a call can be made from a client that is pre-authenticable, and no longer requires that an IP-based telephone interact with the phone user to facilitate sign-on.

BACKGROUND

Technological advances in digital communications have revolutionizedtelephony by providing alternative means of voice communications thanthat provided by traditional analog telephone systems. For example, IP(Internet protocol) telephony is a form of telephony which uses theTCP/IP suite of protocols popularized by IP networks such as theInternet to transmit digitized voice data. The routing of voiceconversations over the Internet or other IP networks is commonly calledvoice-over-IP (VoIP). Digital telephony was introduced to improve voiceservices, but was subsequently found to be very useful in the creationof new network services because of faster data transfer over telephonelines.

Media session protocols such as session initiation protocol (SIP) can beused for creating, modifying, and terminating IP sessions with one ormore participants. SIP sessions can include IP telephone calls,multimedia distribution, and multimedia conferences. The SIP protocolsolves a need for a signaling and call setup protocol for IP-basedcommunications that supports call processing functions and featurespresent in the public-switched telephone network by using proxy serversand user agents.

However, in such digital systems, authentication is important to preventunauthorized users from accessing networks and network services. Theauthentication (or identity verification) of telephone callers and/orcaller devices is a general problem for telephony services, automated ornot. Since the implementation of ANI (automatic number identification)or the telephone number from which a call originates (commonly referredto as “caller id”) is oftentimes not available, or more importantly, canbe spoofed, voice applications and services typically have to implementmethods of caller authentication that are both costly to develop andcumbersome to the user. Such methods include interactive dialogs wherethe user needs to provide a PIN, confidential information, and/orautomated speaker verification (a costly technology in itself).

“Single sign-on” is a concept gaining popularity where an authenticationmodule provides access to a multiplicity of services based on a single“sign-on” or authentication process. While this also has the goal ofreducing the need to provide credentials to multiple services, it stillrequires at least one sign-on to take place. Given the ubiquitous natureof mobile devices (e.g., cell phones) and computing devices, vendorscould gain a significant commercial advantage by providing a moreefficient and effective authentication mechanism.

SUMMARY

The following presents a simplified summary in order to provide a basicunderstanding of novel embodiments described herein. This summary is notan extensive overview, and it is not intended to identify key/criticalelements or to delineate the scope thereof. Its sole purpose is topresent some concepts in a simplified form as a prelude to the moredetailed description that is presented later.

The disclosed architecture includes a pre-authentication module orapplication that removes the need for authentication dialogs thatrequire user interaction by utilizing credentials available from apre-authenticated or trusted endpoint (e.g., a SIP-capable server). Thiscan also include the known security of the media session protocol, whichcan be a session initiation protocol (SIP) connection. In the context ofIP-based voice communications, in that a call can now be made from aclient that is pre-authenticable, no longer is it required that anIP-based telephone sign-on.

Generally, the pre-authentication module of the architecture can be anapplication that facilitates the utilization of user information and/orendpoint information in media protocol messages (e.g., SIP-based) toreplace information that would otherwise be gathered via a dialog, inorder to improve the efficiency of the communication and for enhancingsecurity/privacy of communications.

Additionally, user profile information and personality information, forexample, can be accessed to provide a more robust implementation,particularly in the context of an automated attendant and associateddialog.

To the accomplishment of the foregoing and related ends, certainillustrative aspects are described herein in connection with thefollowing description and the annexed drawings. These aspects areindicative, however, of but a few of the various ways in which theprinciples disclosed herein can be employed and is intended to includeall such aspects and their equivalents. Other advantages and novelfeatures will become apparent from the following detailed descriptionwhen considered in conjunction with the drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a computer-implemented authentication system inaccordance with the novel architecture.

FIG. 2 illustrates a more detailed implementation of a system forpre-authentication processing.

FIG. 3 illustrates a system for applying selectivity to applicationservices or functionality based on the pre-authenticated credentials.

FIG. 4 illustrates a system where different services fromcorrespondingly different applications can be accessed based on thepre-authenticated credentials information.

FIG. 5 illustrates a system that employs a machine learning andreasoning (LR) component which facilitates automating one or morefeatures.

FIG. 6 illustrates one or more sources of credentials information thatcan be received and processed by the trust component forpre-authentication credentials.

FIG. 7 illustrates a method of authentication processing.

FIG. 8 illustrates a method of processing user profile informationassociated with the authenticated credentials.

FIG. 9 illustrates a method of call processing using an automatedattendant and pre-authenticated credentials.

FIG. 10 illustrates a method of processing user interaction and behaviorinformation based on pre-authenticated credentials.

FIG. 11 illustrates a method of call processing using a private virtualassistant.

FIG. 12 illustrates a method of processing user call information basedon the pre-authenticated credentials.

FIG. 13 illustrates a block diagram of a computing system operable toexecute pre-authentication credential creation and/or processing inaccordance with the disclosed architecture.

FIG. 14 illustrates a schematic block diagram of an exemplary computingenvironment that can facilitate execute pre-authentication credentialcreation and/or processing in accordance with the disclosedarchitecture.

DETAILED DESCRIPTION

The disclosed architecture eliminates the previously-required need tointeract with dialog systems, for example, to provide information forobtaining access to a network and/or network services. Conventionally,for example, conference call applications typically require the entry ofa participant code and/or leader code in order to join and/or enable theconference. These are cumbersome and oftentimes annoying userauthentication steps. Contrary to conventional mechanisms, the disclosedarchitecture implements a call or communications application which caninclude a pre-authentication module that eliminates conventionalauthentication steps, at least for IP-based callers. The module cansupply the identity of the caller in the media session protocol (e.g.,session initiation protocol (SIP)) communications with the applicationover a secure connection (e.g., using TLS (transport security layer)).

Reference is now made to the drawings, wherein like reference numeralsare used to refer to like elements throughout. In the followingdescription, for purposes of explanation, numerous specific details areset forth in order to provide a thorough understanding thereof. It maybe evident, however, that the novel embodiments can be practiced withoutthese specific details. In other instances, well-known structures anddevices are shown in block diagram form in order to facilitate adescription thereof.

Referring initially to the drawings, FIG. 1 illustrates acomputer-implemented authentication system 100 in accordance with thenovel architecture. The system 100 can include a trust component 102 forreceiving and processing credentials from a trusted entity 104 that havealready been authenticated (hence, pre-authenticated credentials). Forexample, the trusted entity 104 can be a source of log-in informationsuch as username, password, PIN, network services, and so on. In otherwords, the trusted entity 104 is a component that has alreadyauthenticated a user and/or user device and provides the basis forcommunicating that trust in the form of pre-authenticated credentials.

Based on the entity 104 being a trusted entity, the trust component 102processes the pre-authenticated credentials and sends at least identityinformation extracted therefrom or associated therewith to anapplication component 106. The application component 106 can be a singleapplication or multiple applications of one or more system(s), eachapplication of which can be associated with a service or functionalitythat is exposed based on the proper identity information. Once exposed,the service facilitates communications between a source 110 and adestination 112.

In one implementation, the trusted entity 104 can be a network service(e.g., a network log-in service) that has already processed access bythe source 110 (e.g., a portable computer) to a network, for example.Thus, by utilizing this already-existing trust relationship, the trustcomponent 102 will deem the source 110 an authenticated entity.Accordingly, in one general implementation, the trust component 102 cansignal the application component 106 to expose the desired functionalitythereby allowing connectivity and/or some level of communicationsbetween the source 110 and the destination 112.

In an alternative implementation, the trust component 102 sends moredetailed information then a general signal to expose the applicationfunctionality such that the application component 106 can use the moredetailed information for internally controlling or managing applicationprocesses or services for the source 110. For example, where theapplication component 106 is a suite of applications designed to worktogether, the more detailed information can include data that exposesfunctionality for only one of the applications but not another, orexposes a limited interface of a single application rather than allfunctionality of a single application. In other words, based on theamount and type of information communicated in the pre-authenticatedcredentials, or that is stored and can be retrieved using thepre-authenticated credentials, a wide variety of management and controlcan be obtained.

In another implementation, the system 100 is employed in the context ofmobile or IP-based voice communications. Here, the trusted entity 104can be a communications server disposed on a network, thepre-authenticated credentials include at least one of IP-based deviceidentity data or user identity data, and the application service 108facilitates voice communications between the source 110, which can be anIP-based capable phone or mobile device (e.g., a smartphone) and thedestination 112, which can be another phone. In other words, the userhas accessed the communications server (or trusted entity 104) directly(e.g., via the Internet) or indirectly via the application component 106(e.g., a client communications application interface to thecommunications server) to initiate IP-based phone conversation to thedestination 112.

As part of this process, the user should have had to successfullyauthenticate to the communications server (or trusted entity 104). Thus,once successfully authenticated to the communications server, the usershould not be required to go through another log-in process, forexample, but be allowed to obtain the functionality of the clientapplication and complete the call through to the destination 112unhindered by such conventional processes of multiple log-ins.

The pre-authenticated credentials can be communicated using a mediasession protocol such as SIP. Thus, the pre-authenticated credentialscan include information beyond just a username, password, e-mailaddress, or PIN, for example, but also quality-of-service (QoS)information related to the subscriber subscription package and levels ofservice. For example, the QoS information, which can be retrieved basedon the pre-authenticated credentials, can include the duration of thecall (e.g., only twenty minutes), how to bill the IP-based call (e.g.,credit card, calling card), where to send the call invoice information(e.g., via email to the user), and so on. Other information that can besent in the pre-authenticated credentials or accessed using thepre-authenticated credentials can include personality information forimplementation for the given call. This is described infra.

In other words, a communications platform (the trusted entity 104) whichis passing the audio of the telephone call (e.g., SIP-based) to areceiving application can also provide or validate the originatinguser's authentication identity information. This enables the receivingapplication to treat the connection as authenticated. A scenario is thatthe user initiates a voice/data call from a device (e.g., SIP phone,smartphone running a communications application, a PC running acommunications application, etc.). Since the user is authenticated dueto the previous authentication of the communications platform or as aSIP user, the local or device application can bypass the login processbased upon the existing identity received from the communicationsplatform. The local or device application can then provide a differentexperience without requiring the extra conventional steps ofauthorization as current speech applications must do today.

Thus, a “single sign-on” is one of the benefits obtained by theimplementation of an authentication system 100 that enables access to amultiplicity of services based on a single “sign-on” or authenticationprocess. While this also has the goal of reducing the need to providecredentials to multiple services, one sign-on should be required to takeplace. In one example, a telephone sign-on is no longer required when acall is made from a client that has been pre-authenticated.

FIG. 2 illustrates a more detailed implementation of a system 200 forpre-authentication processing. Here, the trusted entity 106 of FIG. 1 isillustrated as a middle-tier (or mid-tier) component 202 (e.g., IP-basedweb-accessible communications server) where initial authentication cantake place. The mid-tier component 202 can include an authenticationcomponent 204 via which a user 206 of a client system 208 (e.g.,computer) had previously interacted (e.g., for a login process) forcreation of the authentication credentials. For example, the client user206 can access the mid-tier component 202 via a client applicationcomponent 210 to configure an IP-based call (e.g., voice-over-IP(VoIP)). The client application component 210 can include an applicationwith an interface suitable for interfacing to a mid-tier application212. The mid-tier application 212 can be configured to prompt the userfor log-in information, for example. Based on the log-in information,the mid-tier authentication component 204 creates authenticationcredentials.

After configuring the desired process (e.g., an IP-based call) at themid-tier component 202, the user 206 at the client system 208 caninitiate IP communications via the client system 208 over an IP network214 to the destination device 112 (e.g., a cell phone, VoIP phone). Inresponse thereto, a client trust component 216 can receive thepre-authenticated credentials from the mid-tier component 202, therebyautomatically allowing the user 206 to conduct IP voice communicationsfrom the client system 208 to the destination 112. The client trustcomponent 216 can be triggered to seek the pre-authenticated credentialsby the user interacting with the client application component 210. Thisprovides a transparent authentication process for the user 206.

In yet another example, the user 206 desires to use a wire/wireless IPphone 218 to communicate to the destination 112. In this scenario, oncethe user 206 has configured the communications via the client system 208to the mid-tier component 202, the pre-authenticated credentials arepassed to the client trust component 216, which then can become thetrusted entity relative to the IP phone 218. In other words, thepre-authenticated credentials can include information related to the IPphone 218 such that use of the phone 218 automatically triggerscomparison of unique phone information with the phone informationprovided in the pre-authenticated credentials. Based on a successfulverification, the phone 218 can now be used to communicate through theclient system 208 to the destination 112. The IP phone can communicatevia different conventional wireless technologies such as Bluetooth,WiFi, WiMax, and wired technologies such as USB, IEEE 1394, IEEE 802.3,and so on. The phone 218 can also include a phone trust component 220that receives the same set of pre-authenticated credentials received bythe client system 208 from the mid-tier component 202, or a modified setthat also includes client system information that facilitatesestablishing a trusted relationship between the phone 218 and the clientsystem 208.

The client trust components (216 and 220) can be in the form ofindividual and downloadable software components that facilitateobtainment of the pre-authenticated credentials benefits describedherein. The clients trust components can be designed for suitableimplementation for different types of systems such as computing systemsand cell phones, IP phones, etc., essentially any device that includesat least voice communications capability.

FIG. 3 illustrates a system 300 for applying selectivity to applicationservices or functionality based on the pre-authenticated credentials.Here, the client application 210 includes multiple services orfunctionality 302 (denoted SERVICE₁, . . . , SERVICE_(N), where N is apositive integer) one or more of which can be utilized to facilitate theuser experience for the desired communications. The pre-authenticatedcredentials obtained from the trusted entity 104 by the trust component216 can further include profile data or information that defines accessto the services or functionality 302. Permissions information can beincluded and processed by a permissions component 304 of the clientcomponent 210 that extracts the permissions information for ultimatelydetermining which of the services 302 can be exposed and/or the level(or degree) of a given service to expose. A selection component 306facilitates selection of the one or more services 302 that willultimately be employed for the communications between the source 110 anddestination.

The system 300 illustrates a datastore 308 of user profile data 310 thatcan be accessed based on one or more pieces of data in thepre-authenticated credentials as provided after authentication, or inpreparation for assembling the pre-authenticated credentials. Thedatastore 308 can reside as a separate network node or in associationwith the trusted entity 104. The profile data 310 can include QoSinformation, accounting information, personality information, and so on,any amount of which can be transmitted in the pre-authenticatedcredentials or along therewith.

In one example, in the case of an automated attendant (or interactivevoice response (IVR)) system, the implementation can include theoffering of powerful authorization features by leveraging the user'sidentity. A user can pre-configure a personality skin, which includesattributes associated with being chatty, stodgy, brisk, verbose, etc.,as well as others. This information can then be activated automaticallyas part of the attendant dialog after the user system receives thepre-authenticated credentials. Other data can include a trusted longdistance service based on authentication of an improved dial plan.Moreover, different behavior can be based on dial plans (essentiallyproviding the caller an internal caller experience that is differentfrom when the caller is an external caller that is not allowed to diallong distance calls).

Other examples include automatically invoking most-recently-used (MRU)data such that the caller always is presented with the correct JohnSmith rather than having to navigate of list of multiple instances ofthe same name. Other capabilities include, for example, leveraging rulesinvoked in the mid-tier system, employing probabilistic stacking frombuildings/location, learning and reasoning about caller and/or calleebehavior, call interactions, call location information, accessing andsearching contacts information or buddy lists from other applications,and so on.

FIG. 4 illustrates a system 400 where different services fromcorrespondingly different applications can be accessed based on thepre-authenticated credentials information. The trust component 102(similar to trust component 216 of FIG. 2) receives and processes thepre-authenticated credentials, and forwards portions thereof and/orassociated profile information to one or both of the permissionscomponent 304 and the selection component 306 for the selection andexposure, in the client application component 210, of the functionalityor services of multiple client applications 402 (denoted APP₁, . . . ,APP_(S)) having corresponding services (denoted SERVICE(S)₁, . . . ,SERVICE(S)_(S)).

The permissions can include exposing one service of one of theapplications 402 and another service of another of the applications 402,as facilitated by the selection component 306. Additionally, asdescribed supra, a service can be selected, but the level of the serviceis reduced or increased based on the credentials and/or associatedprofile data. In other words, permission to expose a service is notpermission to utilize the full functionality of the service; however, itcan facilitate full exposure, as configured.

When the source 110 is activated by the client user, this canautomatically trigger searching for the pre-authenticated credentials byaccessing known sources of such information, for example, the trustedentity, or other similarly designated sources. In an alternativeimplementation, certain user interaction with the client component 210facilitates search and retrieval of the credentials. This interactioncan includes seeking certain services, dialing a certain number oraddress, and other types of information that can be used to infer intentof the user.

FIG. 5 illustrates a system 500 that employs a machine learning andreasoning (LR) component 502 which facilitates automating one or morefeatures. The subject architecture (e.g., in connection with selection)can employ various LR-based schemes for carrying out various aspectsthereof. For example, a process for determining what information toinclude in the pre-authenticated credentials or in association therewithcan be facilitated via an automatic classifier system and process.

A classifier is a function that maps an input attribute vector, x=(x1,x2, x3, x4, xn), to a class label class(x). The classifier can alsooutput a confidence that the input belongs to a class, that is,f(x)=confidence (class(x)). Such classification can employ aprobabilistic and/or other statistical analysis (e.g., one factoringinto the analysis utilities and costs to maximize the expected value toone or more people) to prognose or infer an action that a user desiresto be automatically performed.

As used herein, terms “to infer” and “inference” refer generally to theprocess of reasoning about or inferring states of the system,environment, and/or user from a set of observations as captured viaevents and/or data. Inference can be employed to identify a specificcontext or action, or can generate a probability distribution overstates, for example. The inference can be probabilistic—that is, thecomputation of a probability distribution over states of interest basedon a consideration of data and events. Inference can also refer totechniques employed for composing higher-level events from a set ofevents and/or data. Such inference results in the construction of newevents or actions from a set of observed events and/or stored eventdata, whether or not the events are correlated in close temporalproximity, and whether the events and data come from one or severalevent and data sources.

A support vector machine (SVM) is an example of a classifier that can beemployed. The SVM operates by finding a hypersurface in the space ofpossible inputs that splits the triggering input events from thenon-triggering events in an optimal way. Intuitively, this makes theclassification correct for testing data that is near, but not identicalto training data. Other directed and undirected model classificationapproaches include, for example, various forms of statisticalregression, naïve Bayes, Bayesian networks, decision trees, neuralnetworks, fuzzy logic models, and other statistical classificationmodels representing different patterns of independence can be employed.Classification as used herein also is inclusive of methods used toassign rank and/or priority.

As will be readily appreciated from the subject specification, thesubject architecture can employ classifiers that are explicitly trained(e.g., via a generic training data) as well as implicitly trained (e.g.,via observing user behavior, receiving extrinsic information). Forexample, SVM's are configured via a learning or training phase within aclassifier constructor and feature selection module. Thus, theclassifier(s) can be employed to automatically learn and perform anumber of functions according to predetermined criteria.

For example, over time an opt-in or opt-out setting can be changedand/or triggered based on learned user interaction behavior. In otherwords, based on the number of times the users interacts with the system,the level of expertise can be increased in accordance with a learned orcomputed improvement in user interaction. Along theses lines, as theuser progresses in expertise, fewer suggestions or helping prompts willbe presented thereby providing a progressively efficient and effectiveexperience over time. A user who progresses to an expert level will notbe annoyed or hindered with the same beginner-level prompts orinformation that have been surpassed. Alternatively, the suggestions orprompts can increase in complexity or be more obscure as the userprogresses to present more detailed information about behavior in whichthe user appears to be frequently interested.

In another example of learning and reasoning, if the user routinely,most recently, or based on the past two weeks has requested or voiced tothe auto attendant a particular user, a list of users can be presentedthat is more focused and which can be more specific to a product group,for example, that will be presented. This information can beautomatically extracted from the user contacts, for example, or othersources of information of the user. This can also be learned based onuser interaction with the system and/or applications.

Stacking of information presented to the user when the user is to bepresented with a listing of potential choices can be based on geographiclocation. For example, probabilistic stacking can be facilitated byreasoning about a Joe Smith located five miles away in a companybuilding versus a Joe Smith located in an adjacent building, and who inall likelihood would be in the same working group, physically contactedmore often, and so on.

Again, these are features that can be communicated as part of thecredentials or in association therewith when received by the trustcomponent 216 (or trust component 102 of FIG. 1).

FIG. 6 illustrates a system 600 of one or more sources 602 of credentialinformation that can be received and processed by the trust component102 for pre-authentication credentials. The sources 602 include themid-tier system 202 of FIG. 2 for obtaining and generating thepre-authentication credentials for use by the application component 106.In addition to, or separately from the mid-tier system authenticationcapabilities, speaker verification 604 can be employed as a means ofcreating and providing the pre-authentication credentials to the trustcomponent 102. Again, in addition to, or separately from the mid-tiersystem authentication capabilities and speaker verification 604,PIN-based verification 606 can be employed as a means of creating andproviding the pre-authentication credentials to the trust component 102.Other sources can be employed including biometrics, and so on.

The trust component 102 is shown as a component which can take inputfrom any or all of these sources 602. However, in practice, each of thesources 602 can have a dedicated trust component. The output of thetrust component 102 is the validation of the identity to the application106, which can then treat the communications (or session) asauthenticated, and apply authorization, as necessary, to a caller interms of information access and transactional capabilities.

FIG. 7 illustrates a method of authentication processing. While, forpurposes of simplicity of explanation, the one or more methodologiesshown herein, for example, in the form of a flow chart or flow diagram,are shown and described as a series of acts, it is to be understood andappreciated that the methodologies are not limited by the order of acts,as some acts may, in accordance therewith, occur in a different orderand/or concurrently with other acts from that shown and describedherein. For example, those skilled in the art will understand andappreciate that a methodology could alternatively be represented as aseries of interrelated states or events, such as in a state diagram.Moreover, not all acts illustrated in a methodology may be required fora novel implementation.

At 700, a first client of a user is authenticated for communicationsservices at a remote location. At 702, authentication credentials arecreated at the remote location for the first client. At 704, a requestis received for communications services from a second client of theuser. At 706, the credentials are transmitted to the second client basedon authentication of the first client. At 708, communications areenabled for the second client based on the pre-authenticatedcredentials.

FIG. 8 illustrates a method of processing user profile informationassociated with the authenticated credentials. At 800, authenticatedcredentials are generated based on authentication of a first user. At802, first user profile information is associated with the credentials.At 804, the credentials and profile information are sent to a secondclient of the first user. At 806, the pre-authenticated credentials andprofile information are processed at the second client of the first userto expose first client functionality for the benefit of the secondclient.

FIG. 9 illustrates a method of call processing using an automatedattendant and pre-authenticated credentials. At 900, authenticatedcredentials are generated based on authentication of first user. At 902,the first user accesses the attendant. At 904, the pre-authenticatedcredentials are sent to the attendant. At 906, the attendant accessesuser profile information associated with the pre-authenticatedcredentials. The attendant processes and presents dialog to the firstuser based on the user profile information.

FIG. 10 illustrates a method of processing user interaction and behaviorinformation based on pre-authenticated credentials. At 1000,authenticated credentials are generated based on authentication of afirst user. At 1002, the first user accesses the attendant. At 1004, thepre-authenticated credentials are sent to the attendant. At 1006, theattendant accesses user interaction and behavior information based onthe credentials. At 1008, the attendant presents dialog based on MRUdata, and/or probabilistic stacking due to geolocation informationextracted from the interaction and behavior information.

FIG. 11 illustrates a method of call processing using a private virtualassistant. At 1100, authenticated credentials are generated at a trustedentity based on authentication of first client of a user. At 1102, callcommunications are initiated via a second client of the user to acallee. The call can be a VoIP call using SIP. At 1104, theauthenticated credentials are then sent from the entity to the secondclient based on the trusted relationship between the first client andthe entity. At 1106, the call is authorized form the second client. At1108, a private virtual assistant is launched based on profileinformation in the credentials. At 1110, most-likely callee informationis presented based on contacts and/or buddy list data of the user. At1112, the call is connected based on callee information selected by theuser.

FIG. 12 illustrates a method of processing user call information basedon the pre-authenticated credentials. At 1200, authenticated credentialsare generated at a trusted entity based on authentication of firstclient of a user. At 1202, call communications are initiated via asecond client of the user to a callee. At 1204, the authenticatedcredentials are then sent from the entity to the second client based onthe trusted relationship between the first client and the entity. At1206, the credentials are processed to retrieve user call informationfrom a datastore. At 1208, the call by the user is managed based on theuser call information.

As used in this application, the terms “component” and “system” areintended to refer to a computer-related entity, either hardware, acombination of hardware and software, software, or software inexecution. For example, a component can be, but is not limited to being,a process running on a processor, a processor, a hard disk drive,multiple storage drives (of optical and/or magnetic storage medium), anobject, an executable, a thread of execution, a program, and/or acomputer. By way of illustration, both an application running on aserver and the server can be a component. One or more components canreside within a process and/or thread of execution, and a component canbe localized on one computer and/or distributed between two or morecomputers.

Referring now to FIG. 13, there is illustrated a block diagram of acomputing system 1300 operable to execute pre-authentication credentialcreation and/or processing in accordance with the disclosedarchitecture. In order to provide additional context for various aspectsthereof, FIG. 13 and the following discussion are intended to provide abrief, general description of a suitable computing system 1300 in whichthe various aspects can be implemented. While the description above isin the general context of computer-executable instructions that may runon one or more computers, those skilled in the art will recognize that anovel embodiment also can be implemented in combination with otherprogram modules and/or as a combination of hardware and software.

Generally, program modules include routines, programs, components, datastructures, etc., that perform particular tasks or implement particularabstract data types. Moreover, those skilled in the art will appreciatethat the inventive methods can be practiced with other computer systemconfigurations, including single-processor or multiprocessor computersystems, minicomputers, mainframe computers, as well as personalcomputers, hand-held computing devices, microprocessor-based orprogrammable consumer electronics, and the like, each of which can beoperatively coupled to one or more associated devices.

The illustrated aspects may also be practiced in distributed computingenvironments where certain tasks are performed by remote processingdevices that are linked through a communications network. In adistributed computing environment, program modules can be located inboth local and remote memory storage devices.

A computer typically includes a variety of computer-readable media.Computer-readable media can be any available media that can be accessedby the computer and includes volatile and non-volatile media, removableand non-removable media. By way of example, and not limitation,computer-readable media can comprise computer storage media andcommunication media. Computer storage media includes volatile andnon-volatile, removable and non-removable media implemented in anymethod or technology for storage of information such ascomputer-readable instructions, data structures, program modules orother data. Computer storage media includes, but is not limited to, RAM,ROM, EEPROM, flash memory or other memory technology, CD-ROM, digitalvideo disk (DVD) or other optical disk storage, magnetic cassettes,magnetic tape, magnetic disk storage or other magnetic storage devices,or any other medium which can be used to store the desired informationand which can be accessed by the computer.

With reference again to FIG. 13, the exemplary computing system 1300 forimplementing various aspects includes a computer 1302, the computer 1302including a processing unit 1304, a system memory 1306 and a system bus1308. The system bus 1308 provides an interface for system componentsincluding, but not limited to, the system memory 1306 to the processingunit 1304. The processing unit 1304 can be any of various commerciallyavailable processors. Dual microprocessors and other multi-processorarchitectures may also be employed as the processing unit 1304.

The system bus 1308 can be any of several types of bus structure thatmay further interconnect to a memory bus (with or without a memorycontroller), a peripheral bus, and a local bus using any of a variety ofcommercially available bus architectures. The system memory 1306includes read-only memory (ROM) 1310 and random access memory (RAM)1312. A basic input/output system (BIOS) is stored in a non-volatilememory 1310 such as ROM, EPROM, EEPROM, which BIOS contains the basicroutines that help to transfer information between elements within thecomputer 1302, such as during start-up. The RAM 1312 can also include ahigh-speed RAM such as static RAM for caching data.

The computer 1302 further includes an internal hard disk drive (HDD)1314 (e.g., EIDE, SATA), which internal hard disk drive 1314 may also beconfigured for external use in a suitable chassis (not shown), amagnetic floppy disk drive (FDD) 1316, (e.g., to read from or write to aremovable diskette 1318) and an optical disk drive 1320, (e.g., readinga CD-ROM disk 1322 or, to read from or write to other high capacityoptical media such as the DVD). The hard disk drive 1314, magnetic diskdrive 1316 and optical disk drive 1320 can be connected to the systembus 1308 by a hard disk drive interface 1324, a magnetic disk driveinterface 1326 and an optical drive interface 1328, respectively. Theinterface 1324 for external drive implementations includes at least oneor both of Universal Serial Bus (USB) and IEEE 1394 interfacetechnologies.

The drives and their associated computer-readable media providenonvolatile storage of data, data structures, computer-executableinstructions, and so forth. For the computer 1302, the drives and mediaaccommodate the storage of any data in a suitable digital format.Although the description of computer-readable media above refers to aHDD, a removable magnetic diskette, and a removable optical media suchas a CD or DVD, it should be appreciated by those skilled in the artthat other types of media which are readable by a computer, such as zipdrives, magnetic cassettes, flash memory cards, cartridges, and thelike, may also be used in the exemplary operating environment, andfurther, that any such media may contain computer-executableinstructions for performing novel methods of the disclosed architecture.

A number of program modules can be stored in the drives and RAM 1312,including an operating system 1330, one or more application programs1332, other program modules 1334 and program data 1336. The one or moreapplication programs 1332 and other program modules 1334 can include thetrust component 102, trusted entity 104, and application component 106of FIG. 1, the mid-tier application component 212, authenticationcomponent 204, client trust components (216 and 220), and clientapplication component 210 of FIG. 2, the permissions component 304,selection component 306, and services 302 of FIG. 3 and, learning andreasoning component 503 of FIG. 5, for example.

All or portions of the operating system, applications, modules, and/ordata can also be cached in the RAM 1312. It is to be appreciated thatthe disclosed architecture can be implemented with various commerciallyavailable operating systems or combinations of operating systems.

A user can enter commands and information into the computer 1302 throughone or more wired/wireless input devices, for example, a keyboard 1338and a pointing device, such as a mouse 1340. Other input devices (notshown) may include a microphone, an IR remote control, a joystick, agame pad, a stylus pen, touch screen, or the like. These and other inputdevices are often connected to the processing unit 1304 through an inputdevice interface 1342 that is coupled to the system bus 1308, but can beconnected by other interfaces, such as a parallel port, an IEEE 1394serial port, a game port, a USB port, an IR interface, etc.

A monitor 1344 or other type of display device is also connected to thesystem bus 1308 via an interface, such as a video adapter 1346. Inaddition to the monitor 1344, a computer typically includes otherperipheral output devices (not shown), such as speakers, printers, etc.

The computer 1302 may operate in a networked environment using logicalconnections via wired and/or wireless communications to one or moreremote computers, such as a remote computer(s) 1348. The remotecomputer(s) 1348 can be a workstation, a server computer, a router, apersonal computer, portable computer, microprocessor-based entertainmentappliance, a peer device or other common network node, and typicallyincludes many or all of the elements described relative to the computer1302, although, for purposes of brevity, only a memory/storage device1350 is illustrated. The logical connections depicted includewired/wireless connectivity to a local area network (LAN) 1352 and/orlarger networks, for example, a wide area network (WAN) 1354. Such LANand WAN networking environments are commonplace in offices andcompanies, and facilitate enterprise-wide computer networks, such asintranets, all of which may connect to a global communications network,for example, the Internet.

When used in a LAN networking environment, the computer 1302 isconnected to the local network 1352 through a wired and/or wirelesscommunication network interface or adapter 1356. The adaptor 1356 mayfacilitate wired or wireless communication to the LAN 1352, which mayalso include a wireless access point disposed thereon for communicatingwith the wireless adaptor 1356.

When used in a WAN networking environment, the computer 1302 can includea modem 1358, or is connected to a communications server on the WAN1354, or has other means for establishing communications over the WAN1354, such as by way of the Internet. The modem 1358, which can beinternal or external and a wired or wireless device, is connected to thesystem bus 1308 via the serial port interface 1342. In a networkedenvironment, program modules depicted relative to the computer 1302, orportions thereof, can be stored in the remote memory/storage device1350. It will be appreciated that the network connections shown areexemplary and other means of establishing a communications link betweenthe computers can be used.

The computer 1302 is operable to communicate with any wireless devicesor entities operatively disposed in wireless communication, for example,a printer, scanner, desktop and/or portable computer, portable dataassistant, communications satellite, any piece of equipment or locationassociated with a wirelessly detectable tag (e.g., a kiosk, news stand,restroom), and telephone. This includes at least Wi-Fi and Bluetooth™wireless technologies. Thus, the communication can be a predefinedstructure as with a conventional network or simply an ad hoccommunication between at least two devices.

Wi-Fi, or Wireless Fidelity, allows connection to the Internet from acouch at home, a bed in a hotel room, or a conference room at work,without wires. Wi-Fi is a wireless technology similar to that used in acell phone that enables such devices, for example, computers, to sendand receive data indoors and out; anywhere within the range of a basestation. Wi-Fi networks use radio technologies called IEEE 802.11x (a,b, g, etc.) to provide secure, reliable, fast wireless connectivity. AWi-Fi network can be used to connect computers to each other, to theInternet, and to wire networks (which use IEEE 802.3 or Ethernet).

Referring now to FIG. 14, there is illustrated a schematic block diagramof an exemplary computing environment 1400 that can facilitate executepre-authentication credential creation and/or processing in accordancewith the disclosed architecture. The system 1400 includes one or moreclient(s) 1402. The client(s) 1402 can be hardware and/or software(e.g., threads, processes, computing devices). The client(s) 1402 canhouse cookie(s) and/or associated contextual information, for example.

The system 1400 also includes one or more server(s) 1404. The server(s)1404 can also be hardware and/or software (e.g., threads, processes,computing devices). The servers 1404 can house threads to performtransformations by employing the architecture, for example. One possiblecommunication between a client 1402 and a server 1404 can be in the formof a data packet adapted to be transmitted between two or more computerprocesses. The data packet may include a cookie and/or associatedcontextual information, for example. The system 1400 includes acommunication framework 1406 (e.g., a global communication network suchas the Internet) that can be employed to facilitate communicationsbetween the client(s) 1402 and the server(s) 1404.

Communications can be facilitated via a wired (including optical fiber)and/or wireless technology. The client(s) 1402 are operatively connectedto one or more client data store(s) 1408 that can be employed to storeinformation local to the client(s) 1402 (e.g., cookie(s) and/orassociated contextual information). Similarly, the server(s) 1404 areoperatively connected to one or more server data store(s) 1410 that canbe employed to store information local to the servers 1404.

What has been described above includes examples of the disclosedarchitecture. It is, of course, not possible to describe everyconceivable combination of components and/or methodologies, but one ofordinary skill in the art may recognize that many further combinationsand permutations are possible. Accordingly, the novel architecture isintended to embrace all such alterations, modifications and variationsthat fall within the spirit and scope of the appended claims.Furthermore, to the extent that the term “includes” is used in eitherthe detailed description or the claims, such term is intended to beinclusive in a manner similar to the term “comprising” as “comprising”is interpreted when employed as a transitional word in a claim.

What is claimed is:
 1. A computer-implemented authentication method,comprising: authenticating, by a trusted entity, a first client of auser for communications services at a remote location and generatingpre-authenticated credentials at the remote location for the firstclient; receiving, by a trust component at the first client, thepre-authenticated credentials from the trusted entity; transmitting, bya transmitting component, the authenticated credentials to the secondclient based on authentication of the first client; and receiving, by anapplication component at the first client, a request for communicationsservices from a second client of the user and providing an applicationservice based on the pre-authenticated credentials received by the trustcomponent.
 2. The method of claim 1, wherein the pre-authenticatedcredentials are received via a media session protocol.
 3. The method ofclaim 2, wherein the media session protocol is session initiationprotocol (SIP).
 4. The method of claim 1, wherein the trusted entity isa communications server, the pre-authenticated credentials include atleast one of a device identity data or user identity data, and theapplication service facilitates voice communications between a mobiledevice and the communications server.
 5. The method of claim 1, whereinthe pre-authenticated credentials include a level of permission relatedto a type of the application service that is provided by the applicationcomponent.
 6. The method of claim 1, wherein the trusted entity receivesthe pre-authenticated credentials from another trusted entity.
 7. Themethod of claim 1, further comprising selecting, by a permissionscomponent, the application service from one or more applications basedon a permission associated with the pre-authenticated credentials. 8.The method of claim 1, wherein the trust component and the applicationcomponent are of a client that receives the pre-authenticatedcredentials for connecting an IP-based phone call via the client to aremote destination.
 9. The method of claim 1, further comprisingemploying, by a machine learning and reasoning component, aprobabilistic and/or statistical-based analysis to prognose or infer anaction that is desired to be automatically performed.
 10. The method ofclaim 11, wherein the pre-authenticated credentials include user profileinformation that defines a quality-of-service for communicating with adestination device.
 11. A computer-implemented method of authenticationprocessing, comprising: authenticating a first client of a user forcommunications services at a remote location; generating authenticatedcredentials at the remote location for the first client; receiving arequest for communications services from a second client of the user;transmitting the authenticated credentials to the second client based onauthentication of the first client; and enabling the communicationsservices for the second client based on the authenticated credentials.12. The method of claim 11, further comprising accessing the remotelocation via a web interface, which remote location is a network-basedmiddle-tier communications server that processes SIP-basedcommunications from the first client.
 13. The method of claim 11,wherein the first client or the second client is part of a voice-over-IPcommunications device.
 14. The method of claim 11, further comprisingincluding personality information in the authenticated credentials thatchanges how the second client, which is an automated attendant,interacts with a user.
 15. The method of claim 11, further comprisingemploying more-recently-used information based on the authenticatedcredentials to present information to the user for selection.
 16. Themethod of claim 11, further comprising controlling quality-of-serviceparameters for the second client based on the authenticated credentials.17. The method of claim 11, further comprising automatically exposingfunctionality of a personal virtual assistant based on the authenticatedcredentials, the functionality exposed based on knowledge of a contactlist or buddy list.
 18. The method of claim 11, further comprisingselecting services from different applications of the first client basedon the authenticated credentials and providing the selected services forcommunications by the second client.
 19. The method of claim 11, furthercomprising learning and reasoning about client or user interactivebehavior and automating presentation of information to the user basedthereon.
 20. A computer-implemented system for authenticationprocessing, comprising: computer-implemented means for authenticating afirst client of a user for communications services at a remote location;computer-implemented means for generating authenticated credentials atthe remote location for the first client; computer-implemented means forreceiving a request for communications services from a second client ofthe user; computer-implemented means for transmitting the authenticatedcredentials to the second client based on authentication of the firstclient; and computer-implemented means for enabling the communicationsservices for the second client.